The SAP R/3 universe

First of all: SAP is huge and confusing

Sometimes difficult to understand SAP people or documentation

SAP makes a great deal of naming everything differently (DIAG, RFC, SAP-routers, ...)

The main achievement seems to be scalability
Simple SAP R/3 setup

Old fashioned three tier database application

[Diagram: Application Server (about half a dozen listeners and scheduler; application logic) in front of the Database (often Oracle or MaxDB)]

- Runs on a number of platforms

- Supports mainframes, Linux and even Windows

- Encapsulates most of the platform
Complex SAP R/3 setup

Old fashioned three tier database application

[Diagram: up to several 1000 clients, webclients and batchjobs; several Application Servers (about half a dozen listeners and scheduler; application logic); an intermediate component labelled "Misnomer, is a proxy"; several Databases with replication, batch jobs]
Attacks on SAP installations

Most SAP experts focus solely on application layer issues

- User privileges, access control

System administrators don't touch SAP

- Bad protection on OS level

Important: That's not necessarily SAP's fault

But: What do they do to help it?
A lot of documentation

- Often incomprehensible for networkers

A number of documented APIs

- Plug-in encryption

- Access control

A set of recommendations

- Often not obeyed by op staff
How to implement security

Allocate lots of time

Understand the system and the language

Harden every server

Place firewalls

Encrypt data transmission
SAP client protocol

Most attacks are commodity attacks that apply to every system

Vulnerabilities of the application server have been addressed by FX

Client protocol between sapGUIs and application servers is often unprotected

Once claimed encrypted, now officially disguised

Nils Magnus, Jochen Kellner: Reverse Engineering the SAP R/3 Client Protocol
21C3, Berlin, 27 December 2004
LinuxTag, Where .com meets .org


Client protocol details

Protocol internally called DIAG

- (not to be confused with the RFC protocol of the same name!)

Full specifications available only with NDA

Stream-based network connections

- TCP, but potentially over several other protocols, too

Some details are available within the SAP help
More details

TCP/3200+x, where x is the instance identifier

C/S-based protocol, exchanging blobs

- 10 Request to AS

- 20 Response with form data and result data

- 30 New data and new requests

- 40 GOTO 20
Scanner result

# nmap (V. 3.00) scan initiated as: nmap -sT -v -p3200-3900 -o nmap-tcpr03.txt 10.36.14.144

Interesting ports on (10.36.14.144):
(The 694 ports scanned but not shown below are in state: closed)

Port       State   Service
3200/tcp   open    unknown
3300/tcp   open    unknown
3600/tcp   open    unknown
3773/tcp   open    unknown
3777/tcp   open    unknown
3786/tcp   open    unknown
3900/tcp   open    udt_os

# Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
Trace (client side)

[Screenshot: Ethereal capture "sap-conversation.tcp". Client 10.36.14.205, port 1460, talking to the application server 10.36.14.144, port 3200 (TCP). Frames 1-6: SYN, ACK and a PSH/ACK segment with Len=266, interleaved with TCP retransmissions and duplicate ACKs; later client segments carry Len=316 and Len=55. Detail of frame 6 (60 bytes on wire, 60 bytes captured): Ethernet II, Src 00:0b:db:d6:b0:d2, Dst 08:00:20:b8:e6:d0; Internet Protocol, Src Addr 10.36.14.205, Dst Addr 10.36.14.144; Transmission Control Protocol, Src Port 1460, Dst Port 3200, Seq 1, Ack 0, Len 0.]
Block transmission

First 4 octets are block length

A number of similar starting octets

Scrambled data payload

Starts with 0x1f 0x9d

From /etc/magic:

    # standard unix compress
    0       string          \037\235        compressed data
    >2      byte&0x80       >0              block compressed
    >2      byte&0x1f       x               %d bits
Compressed data payload

Looks like the LZC algorithm

Also used in old-fashioned compress(1)

Strings LZ.* can be found in the sapGUI binary

Just extracting the payload and using uncompress does not work

Bit-length field is wrong
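An added example, not code from the talk or from SAP, that walks the framing the two slides above describe: it splits a byte stream into length-prefixed blocks and applies the three /etc/magic rules for compress(1) data to each payload, including the bit-length check that explains why plain uncompress can refuse a payload. Assumptions: the 4-octet length is big-endian and excludes itself; the sample stream is constructed, not captured.

```python
import struct

COMPRESS_MAGIC = b"\x1f\x9d"  # \037\235, the "standard unix compress" magic


def split_blocks(stream: bytes) -> list:
    """Split a stream into length-prefixed blocks (4-octet prefix, then payload).
    Assumption, not stated on the slides: big-endian length excluding itself."""
    blocks, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        pos += 4
        if pos + length > len(stream):
            raise ValueError(f"truncated block at offset {pos - 4}")
        blocks.append(stream[pos:pos + length])
        pos += length
    if pos != len(stream):
        raise ValueError("trailing octets do not form a complete block")
    return blocks


def inspect_payload(payload: bytes) -> dict:
    """Apply the three /etc/magic rules for compress(1) data to one payload."""
    if len(payload) < 3 or payload[:2] != COMPRESS_MAGIC:
        return {"compress_magic": False}
    flags = payload[2]
    bits = flags & 0x1F  # '>2  byte&0x1f  x   %d bits'
    return {
        "compress_magic": True,
        "block_compressed": bool(flags & 0x80),  # '>2  byte&0x80  >0  block compressed'
        "bits": bits,
        # compress(1) and uncompress only handle 9..16 bits; a value outside
        # that range is one way a bit-length field is "wrong" for uncompress
        "plain_uncompress_range": 9 <= bits <= 16,
    }


# Constructed sample stream (not a real capture): two length-prefixed blocks,
# the first with a sane compress header, the second with an out-of-range one.
SAMPLE = (
    struct.pack(">I", 8) + COMPRESS_MAGIC + bytes([0x90]) + b"\x00ABCD"
    + struct.pack(">I", 6) + COMPRESS_MAGIC + bytes([0x05]) + b"\x01\x02\x03"
)

if __name__ == "__main__":
    for i, block in enumerate(split_blocks(SAMPLE)):
        print(i, len(block), inspect_payload(block))
```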
LinuxTag

Leading Free Software and Linux event

Talks and exhibition

Karlsruhe, Germany: June 22-25, 2005

Call for Papers still open until January 15

http://www.linuxtag.org/




Contact

Nils Magnus

Program Chair, LinuxTag e. V.

University of Kaiserslautern
67653 Kaiserslautern
T +49-631-310-9371

magnus@linuxtag.org